IST pushes Congress to attach cyber terms to infrastructure grants
The hard part was never admitting critical infrastructure needs security; it was making grant paperwork say so before the money leaves.
TL;DR
Federal News Network reports that an Institute for Security and Technology memo urges Congress and the Trump administration to embed cybersecurity requirements in federal infrastructure grants. The affected universe is wide: state and local governments, private recipients, hospitals, schools, power grids and water utilities. IST’s sharper point is procedural: cybersecurity has consensus at the podium, then often disappears in the notice of funding opportunity.
Federal News Network reports that the Institute for Security and Technology is pressing Congress and the Trump administration to make cybersecurity a condition of more federal infrastructure funding, including grants that finance IT and digital systems used by hospitals, schools, power grids and water utilities. The memo’s near-term targets are the forthcoming farm bill and surface transportation reauthorization, where IST sees chances to write cyber expectations into the money before it is awarded.
That is a narrower and more useful claim than the usual “critical infrastructure is vulnerable” speech. IST is saying the federal government already has the lever: grants, loans and procurement terms. The problem is that Congress and agencies have not consistently pulled it. According to the Federal News Network account, IST calls the $1.2 trillion Bipartisan Infrastructure Law a missed opportunity because, aside from the $1 billion state and local cybersecurity grant program, broader infrastructure spending carried little cybersecurity planning or upgrade requirement.
The operational gap is familiar. Many federal grants and acquisitions protect government data, including taxpayer or law-enforcement information. That does not automatically protect the systems receiving the money. CISA and the Office of the National Cyber Director already published a December 2024 playbook telling grant-making agencies how to build cybersecurity into Notices of Funding Opportunity, terms and conditions, recipient cyber risk assessments and project cybersecurity plans: https://www.cisa.gov/resources-tools/resources/playbook-strengthening-cybersecurity-federal-grant-programs-critical-infrastructure. IST’s complaint is that the playbook has not become the default behavior.
For practitioners, nothing changes Monday from a policy memo. The useful signal is where requirements are likely to show up next. Grant program managers should expect more pressure to add cyber language to funding documents. State, local and private recipients should expect fewer infrastructure dollars to arrive as pure construction or modernization money, especially where the project touches operational technology or critical services.
Published ·Deep Fathom